Star Blizzard, a threat actor tied to the Russian Federal Security Service (FSB), was spotted attempting to compromise targets’ WhatsApp accounts through a clever phishing campaign.
The campaign
The campaign started with a spear-phishing email that was made to look like it was sent by a US government official.
“We have established a private WhatsApp group to facilitate discussions regarding the latest non-govermental initiatives aimed at supporting Ukraine. This platform will also serve as a means to coordinate the distribution of government-allocated funds for this purpose,” the email says. “You can join us using this QR code below.”
The QR code doesn’t work, though, pushing the victim to reply to say as much. Then, the attackers send a second email, with a shortened link instead of a QR code.
The link leads to a spoofed WhatsApp webpage asking them to go through several steps to join the group.
The spoofed WhatsApp page, with the QR code obscured (Source: Microsoft Threat Intelligence)
“However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal,” Microsoft’s threat analysts explained.
“This means that if the target follows the instructions on this page, the threat actor can gain access to the messages in their WhatsApp account and have the capability to exfiltrate this data using existing browser plugins, which are designed for exporting WhatsApp messages from an account accessed via WhatsApp Web.”
About Star Blizzard
The campaign seems to have been aimed at non-governmental organization (NGO) employees and, according to Microsoft, it started in mid-November and ended by the end of the month.
Nevertheless, it shows how Star Blizzard changes its tactics, techniques, and procedures (TTPs) and persists in achieving its goals.
“Star Blizzard’s targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations researchers whose work touches on Russia, and sources of assistance to Ukraine related to the war with Russia,” the threat analysts noted.
They’ve also been known to target Russian citizens residing in the US, UK citizens, and computer networks belonging to NATO.
In late 2024, the Microsoft and the US Justice Department seized 100+ domains used the group, ans set the stage for further disruption any new infrastructure through an existing court proceeding.
